Date: Tue, 17 Mar 2009 15:54:42 +0100
From: Paolo Pisati <p.pisati@oltrelinux.com>
To: Alex Dupre <ale@FreeBSD.org>
Cc: freebsd-ipfw@freebsd.org, Dmitriy Demidov <dima_bsd@inbox.lv>, Luigi Rizzo <rizzo@iet.unipi.it>
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID: <49BFB9B2.9090909@oltrelinux.com>
In-Reply-To: <49BF61E7.7020305@FreeBSD.org>
References: <200903132246.49159.dima_bsd@inbox.lv> <20090313214327.GA1675@onelab2.iet.unipi.it> <49BF61E7.7020305@FreeBSD.org>
Alex Dupre wrote:
> Luigi Rizzo wrote:
>> it is not related to dynamic rules, but to the fact that
>> the firewall is called before reassembling packets.
>> The info (port numbers especially) is not available
>> in the fragments so the firewall cannot do anything.
>> The only solution would be to call the firewall
>> after reassembly. I am not sure if there is any work in progress
>> for that.
>
> FWIW pf has "traffic normalization" feature ("scrub" keyword), that
> reassembles packets before inspection. Unfortunately, it works with
> IPv4 packets, but lacks IPv6 support.
>

FYI I have a patch for ipfw nat that reassembles a packet before nat [*],
but if the idea of an explicit packet reassembly action sounds good, I
could move the code over there.

[*] actually the patch is really simple, it's just a call to ip_reass()
with some glue code, but nonetheless it could be used more globally.

--
bye,
P.
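The point Luigi makes above (a filter that runs before reassembly cannot see port numbers in non-first fragments, so a port-based keep-state rule has nothing to match) is easy to reproduce in a few lines. The following is an added example, not code from this thread, from ipfw, or from the ip_reass() patch mentioned: it hand-builds one UDP datagram to port 53 split into two IPv4 fragments (constructed bytes), shows what a pre-reassembly port lookup gets for each fragment, then runs both through a toy single-datagram reassembler and repeats the lookup on the result. The reassembler is a deliberately minimal stand-in for what ip_reass() does (no per-flow hash, no timeouts, no overlap policy, IP options not supported), so only the ordering of "filter" and "reassemble" is illustrated.

```c
/* frag_demo.c: UDP ports are only in the first fragment; a port-based rule
 * can match a datagram only after its fragments are put back together.
 * Added example, not FreeBSD or ipfw code. All packets below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP_HLEN    20       /* assumption: no IP options */
#define IP_MF      0x2000   /* "more fragments" flag */
#define IP_OFFMASK 0x1fff   /* fragment offset, in 8-byte units */
#define PROTO_UDP  17

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Constructed sample: a 24-byte UDP datagram (8-byte header + 16-byte payload)
 * 10.0.0.1:1234 -> 10.0.0.2:53, IP id 0x1234, split into two fragments. */
static const uint8_t FRAG1[] = {            /* offset 0, MF set: carries only the UDP header */
    0x45,0x00,0x00,0x1c, 0x12,0x34,0x20,0x00, 0x40,0x11,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x04,0xd2, 0x00,0x35, 0x00,0x18, 0x00,0x00 };   /* sport 1234, dport 53, udp len 24 */
static const uint8_t FRAG2[] = {            /* offset 1 (= 8 bytes), MF clear: the payload */
    0x45,0x00,0x00,0x24, 0x12,0x34,0x00,0x01, 0x40,0x11,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P' };

/* What a filter running before reassembly can know: the UDP destination
 * port, or -1 when the transport header is simply not in this packet. */
static int udp_dport(const uint8_t *pkt, size_t len)
{
    if (len < IP_HLEN || (pkt[0] >> 4) != 4 || pkt[9] != PROTO_UDP) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if ((be16(pkt + 6) & IP_OFFMASK) != 0) return -1;  /* non-first fragment: no ports here */
    if (len < ihl + 8) return -1;                       /* too short to hold a UDP header */
    return be16(pkt + ihl + 2);
}

/* Toy single-datagram reassembler: collect payloads by offset until the MF==0
 * fragment gives the total length and every 8-byte block has arrived. */
struct reass {
    int      active;
    uint8_t  key[11];             /* src, dst, id, proto */
    uint8_t  hdr[IP_HLEN];        /* header of the offset-0 fragment */
    uint8_t  data[65535];
    uint8_t  have[1024];          /* bitmap: one bit per 8-byte block */
    size_t   total;               /* 0 until the last fragment has been seen */
};

/* Returns the reassembled length written to out, 0 if more fragments are
 * needed, -1 if the fragment is malformed or belongs to another datagram. */
static int reass_add(struct reass *r, const uint8_t *pkt, size_t len, uint8_t *out, size_t outlen)
{
    if (len < IP_HLEN || (pkt[0] & 0x0f) * 4 != IP_HLEN) return -1;
    size_t plen = be16(pkt + 2);
    if (plen > len || plen < IP_HLEN) return -1;
    plen -= IP_HLEN;
    uint16_t ff  = be16(pkt + 6);
    size_t   off = (size_t)(ff & IP_OFFMASK) * 8;
    if (off + plen > sizeof r->data) return -1;
    if ((ff & IP_MF) && (plen % 8) != 0) return -1;   /* only the last fragment may be short */

    uint8_t key[11];
    memcpy(key, pkt + 12, 8); memcpy(key + 8, pkt + 4, 2); key[10] = pkt[9];
    if (!r->active) { memset(r, 0, sizeof *r); memcpy(r->key, key, 11); r->active = 1; }
    else if (memcmp(r->key, key, 11) != 0) return -1;

    memcpy(r->data + off, pkt + IP_HLEN, plen);
    for (size_t b = off / 8; b < (off + plen + 7) / 8; b++) r->have[b / 8] |= (uint8_t)(1u << (b % 8));
    if (off == 0) memcpy(r->hdr, pkt, IP_HLEN);
    if (!(ff & IP_MF)) r->total = off + plen;

    if (r->total == 0) return 0;                          /* last fragment not seen yet */
    for (size_t b = 0; b < (r->total + 7) / 8; b++)
        if (!(r->have[b / 8] & (1u << (b % 8)))) return 0;   /* still a hole */

    if (outlen < IP_HLEN + r->total) return -1;
    memcpy(out, r->hdr, IP_HLEN);
    out[2] = (uint8_t)((IP_HLEN + r->total) >> 8); out[3] = (uint8_t)(IP_HLEN + r->total);
    out[6] = 0; out[7] = 0;                               /* no longer a fragment */
    memcpy(out + IP_HLEN, r->data, r->total);
    r->active = 0;
    return (int)(IP_HLEN + r->total);
}

/* Feed the fragments out of order (as they may well arrive) and look at the
 * port a rule would see afterwards. Returns the port or -1. */
static int dport_after_reassembly(void)
{
    static struct reass r;                 /* static: ~70 KB, keep it off the stack */
    static uint8_t out[IP_HLEN + 65535];
    if (reass_add(&r, FRAG2, sizeof FRAG2, out, sizeof out) != 0) return -1;  /* must be incomplete */
    int n = reass_add(&r, FRAG1, sizeof FRAG1, out, sizeof out);
    if (n <= 0) return -1;
    return udp_dport(out, (size_t)n);
}

int main(void)
{
    printf("before reassembly: frag1 dport=%d, frag2 dport=%d\n",
           udp_dport(FRAG1, sizeof FRAG1), udp_dport(FRAG2, sizeof FRAG2));
    printf("after reassembly:  dport=%d\n", dport_after_reassembly());
    return 0;
}
```

The first fragment yields port 53 and the second yields -1: a rule such as `allow udp from any to any 53 keep-state` evaluated per fragment can only act on the first one, and a "big" UDP packet that gets fragmented is then partly dropped or partly unmatched, which is the symptom in the subject line. Once the two fragments are merged (here by the toy reassembler, in the kernel by ip_reass()) the same lookup returns 53 for the whole datagram. The same applies to IPv6, where the fragment extension header hides the upper-layer header in the same way; that is why pf's IPv4-only scrub is noted above as incomplete.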